CVE-2024-28105

7.2 HIGH

📋 TL;DR

This vulnerability in phpMyFAQ allows attackers to upload malicious PHP files by manipulating Content-type and lang parameters during category image uploads. Successful exploitation could lead to remote code execution on the server. All phpMyFAQ installations below version 3.2.6 are affected.

💻 Affected Systems

Products:
  • phpMyFAQ
Versions: All versions before 3.2.6
Operating Systems: Any OS running phpMyFAQ
Default Config Vulnerable: ⚠️ Yes
Notes: Requires category image upload functionality to be accessible (typically requires admin privileges).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise via remote code execution, allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems.

🟠 Likely Case

Webshell deployment leading to data theft, defacement, or use as part of a botnet.

🟢 If Mitigated

File upload blocked, no code execution possible.

🌐 Internet-Facing: HIGH - Web applications are directly accessible and vulnerable to unauthenticated exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but external threat actors are blocked.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to upload files, but the vulnerability bypasses file type validation.
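The bypass described above works because the upload trusts client-controlled inputs (the Content-Type header and the lang parameter). The following is an added example, not phpMyFAQ's code, showing what a validator for a category image upload looks like when it ignores the client Content-Type entirely, accepts only an extension allowlist backed by magic-byte checks, rejects double extensions and directory components, and treats lang as an opaque token matched against a fixed pattern. The language-code pattern and the returned dictionary shape are assumptions for the example.

```python
import re
from pathlib import PurePosixPath

# Added example, not phpMyFAQ's code. Extension allowlist plus the magic
# bytes each type must start with; the client-sent Content-Type is never
# consulted, because the uploader controls it.
ALLOWED_IMAGE_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Hypothetical shape of a language code ("en", "pt-br"); a real application
# would compare against its installed translations instead of a regex.
LANG_RE = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")

# Constructed sample: a minimal PNG header followed by padding.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_category_image(filename: str, content: bytes,
                            client_content_type: str, lang: str) -> dict:
    """Decide whether an uploaded category image may be stored.

    Returns {"accepted": bool, "reason": str, "stored_as": str | None}.
    """
    def reject(reason: str) -> dict:
        return {"accepted": False, "reason": reason, "stored_as": None}

    # 1. lang is only ever used as a lookup key, never spliced into a path
    #    or an extension, so anything outside the allowed shape is refused.
    if not LANG_RE.fullmatch(lang):
        return reject("lang must be a known language code")

    # 2. Keep only the basename; directory components from the client are
    #    discarded rather than normalised.
    base = PurePosixPath(filename.replace("\\", "/")).name

    # 3. Exactly one extension: "shell.php.png" and ".htaccess" both fail here.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return reject("filename must be name.ext with a single extension")
    stem, ext = parts
    if ext not in ALLOWED_IMAGE_TYPES:
        return reject(f"extension .{ext} is not an allowed image type")

    # 4. The bytes must look like the image type the extension claims.
    if not any(content.startswith(magic) for magic in ALLOWED_IMAGE_TYPES[ext]):
        return reject("file content does not match the declared image type")

    # 5. The server chooses the stored name from a restricted character set.
    safe_stem = re.sub(r"[^a-z0-9_-]", "_", stem)[:64]
    return {
        "accepted": True,
        "reason": f"client Content-Type '{client_content_type}' ignored; content verified",
        "stored_as": f"{safe_stem}.{ext}",
    }


if __name__ == "__main__":
    print(validate_category_image("Logo 1.png", SAMPLE_PNG, "image/png", "en"))
    print(validate_category_image("shell.php", SAMPLE_PNG, "image/png", "en"))
```

The point of the design is that none of the three client-controlled values (filename, Content-Type, lang) can on its own decide where the file is written or how the web server will later interpret it; pairing this with the web-server-side execution block listed under the workarounds gives two independent controls.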

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6

Vendor Advisory: https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-pwh2-fpfr-x5gf

Restart Required: No

Instructions:

1. Backup your phpMyFAQ installation and database.
2. Download phpMyFAQ 3.2.6 or later from the official repository.
3. Replace all files with the new version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable category image uploads (platform: all)

Temporarily disable the vulnerable functionality by removing or restricting access to category image upload features.

How: modify the phpMyFAQ configuration to disable category image uploads, or restrict admin panel access.

Web server file extension blocking (platform: linux)

Configure the web server to block execution of .php files from upload directories.

For Apache: add 'php_flag engine off' to a .htaccess file in the upload directory. This only takes effect when PHP runs as mod_php and AllowOverride permits it; with PHP-FPM, deny PHP handling for the upload directory in the virtual host configuration instead.
For Nginx: add 'location ~ \.php$ { deny all; }' for upload paths. Nginx uses the first matching regex location in file order, so this block must appear before the general PHP handler location.

🧯 If You Can't Patch

  • Restrict admin panel access to trusted IP addresses only
  • Implement web application firewall rules to block malicious file uploads

🔍 How to Verify

Check if Vulnerable:

Check phpMyFAQ version in admin panel or by examining source files. Versions below 3.2.6 are vulnerable.

Check Version:

Check admin dashboard or examine includes/constants.php for version information

Verify Fix Applied:

After updating to 3.2.6+, verify that PHP files cannot be uploaded via category image upload function.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with .php extension
  • Multiple failed upload attempts
  • Admin panel access from unusual IPs

Network Indicators:

  • POST requests to category image upload endpoints with manipulated parameters
  • Unexpected outbound connections from web server

SIEM Query:

source="web_logs" AND (uri_path="/admin/*upload*" OR uri_path="*category*image*") AND (file_extension=".php" OR content_type!="image/*")
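The SIEM query above encodes the two signals a defender cares about for this issue: a POST to an upload endpoint whose filename carries a PHP extension, or whose declared type is not an image. The following is an added example, not part of the original page, that applies the same logic to a constructed JSON-lines upload log so the detection can be tested offline. The field names (method, uri_path, client_ip, content_type, filename) and the endpoint paths in the sample lines are assumptions; map them to whatever your web or application logs actually record.

```python
import json
import re
from collections import Counter
from fnmatch import fnmatch

# Constructed sample upload log (one JSON object per line). The endpoint paths,
# IPs and filenames are made up for this example and are not real indicators.
SAMPLE_LOG = """\
{"method":"POST","uri_path":"/admin/index.php?action=addcategory","client_ip":"203.0.113.10","content_type":"image/png","filename":"logo.png","status":200}
{"method":"POST","uri_path":"/admin/category/image/upload","client_ip":"198.51.100.7","content_type":"image/png","filename":"shell.php","status":200}
{"method":"POST","uri_path":"/admin/category/image/upload","client_ip":"198.51.100.7","content_type":"application/x-php","filename":"c.php.png","status":200}
{"method":"GET","uri_path":"/index.php","client_ip":"192.0.2.5","content_type":"","filename":"","status":200}
{"method":"POST","uri_path":"/admin/category/image/upload","client_ip":"192.0.2.5","content_type":"image/jpeg","filename":"banner.jpg","status":200}
"""

# Same path globs as the SIEM query; fnmatch's "*" also crosses "/" so the
# patterns behave like the query's wildcards.
UPLOAD_PATH_PATTERNS = ("/admin/*upload*", "*category*image*")

# Any PHP-family extension, including one buried in a double extension
# such as "c.php.png".
PHP_EXT = re.compile(r"\.ph(p\d?|tml|ar)(\.|$)", re.IGNORECASE)


def is_upload_endpoint(uri_path: str) -> bool:
    """True when the request path matches one of the upload-endpoint globs."""
    return any(fnmatch(uri_path.lower(), pat) for pat in UPLOAD_PATH_PATTERNS)


def analyze_upload_events(log_text: str) -> list:
    """Return one finding per suspicious upload request, in log order.

    A finding carries the client IP, path, filename and the list of reasons
    ("php_extension", "non_image_content_type") that triggered it.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("method") != "POST" or not is_upload_endpoint(event.get("uri_path", "")):
            continue  # only upload POSTs are in scope
        filename = event.get("filename", "")
        content_type = event.get("content_type", "")
        reasons = []
        if PHP_EXT.search(filename):
            reasons.append("php_extension")
        if not content_type.lower().startswith("image/"):
            reasons.append("non_image_content_type")
        if reasons:
            findings.append({
                "client_ip": event.get("client_ip", ""),
                "uri_path": event.get("uri_path", ""),
                "filename": filename,
                "reasons": reasons,
            })
    return findings


def repeat_offenders(findings: list, threshold: int = 2) -> dict:
    """Map client IPs with at least `threshold` findings to their count,
    supporting the 'multiple upload attempts from one source' indicator."""
    counts = Counter(f["client_ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = analyze_upload_events(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("repeat offenders:", repeat_offenders(hits))
```

Run against the constructed log, the two requests from 198.51.100.7 are flagged (one for a .php filename, one for both a hidden .php extension and a non-image type) while the benign PNG and JPEG uploads pass, and the per-IP count surfaces that source as a repeat offender. In production, keep the path globs aligned with the actual upload endpoints and add the HTTP status so that a rejected upload and a successful one can be told apart.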
